By Kris Lovejoy, Global Cybersecurity and Resiliency Leader at Kyndryl
Are organizations really prepared for IT disruptions? Most companies think so.
According to a new Kyndryl survey, 88% of respondents said their organization is well prepared to manage and recover from any adverse conditions, cyberattacks or compromises that disrupt their IT assets. However, there’s a disconnect between overconfident thinking and the reality that 92% of respondents said their organization experienced adverse events in the last two years.
Kyndryl surveyed 300 IT decision-makers from large enterprises to learn about the adversity they’ve faced, the risks they’re most concerned about and their cyber resilience strategies — meaning how well they can anticipate, protect against, withstand and recover from disruptions.
How organizations manage cyber risk is within their control to an extent. Whether organizations see a long road ahead in managing IT risks or feel confident they are on their way to success, there’s an opportunity to justify this confidence.
Here are seven strategies organizations can take to chart a path toward cyber resilience.
1. Engage the business from the start — and break down silos
IT organizations too often operate in a silo, separate from other parts of the business. The surest way for a cyber resilience strategy to succeed is to break the silo. Invite people who aren’t in IT to the table and anchor conversations about cyber resilience in the organization’s mission. Make resilience part of the organizational culture.
2. Take inventory
Many organizations are challenged by an ever-expanding and complex IT footprint. It’s important to identify and map critical IT assets that will sustain and move business objectives. These assets will be the top priority to protect and, at worst, recover following an adverse event.
3. Move to a zero-trust framework
It’s important to have a deny-by-default standard so that only those who need access to systems get it, and those who do not need it can’t.
4. Establish a crisis management plan — and drill it
Sometimes adverse events are unavoidable. Case in point: human error is the most anticipated cause of IT disruptions. Defining roles and responsibilities across teams, establishing a communication process, documenting processes and improving transparency often help reduce the impact of an adverse event. Once a plan is created, it’s important to test it regularly.
5. Continuously modernize your cyber resilience strategy
Business goals shift, IT estates become more complex and external forces like regulations can require changes. To ensure your cyber resilience strategy stays effective, these foundational steps must be part of an ongoing discussion.
6. Implement a robust cyber incident recovery plan
As digital transformation and hyper-convergence create unintended gateways to cyber risks, vulnerabilities, attacks and failures, a cyber resiliency strategy quickly becomes necessary. A cyber resiliency strategy helps organizations reduce risks, financial impact and reputational damages.
7. Inform management and the board of directors often
Most important, do not wait until it is too late. Keeping company leadership and its respective board informed about cyber events and other IT risks — including plans to mitigate those risks — can help drive top-down organizational alignment and the changes necessary to ensure cyber-enabled systems can remain operational during adverse events.
With a strong cyber resilience strategy in place, companies can keep pace with the rapidly evolving digital environment and increasingly sophisticated cyber threats, while also ensuring swift recovery in the event of an attack.
In recognition of Cybersecurity Awareness Month, this is the first installment of a weekly series in October that highlights how organizations can anticipate, protect against, withstand and recover from cyberattacks.